This section describes the process to install and configure the Agent, using PKI to authenticate communication with the Bridge.
|
Note |
Tripwire strongly recommends installation using a pre-shared key instead of PKI unless you have an existing centralized public key infrastructure and are comfortable with creating and maintaining certificate keys. Using a pre-shared key is equally secure, and greatly simplifies the configuration process. For installation instructions using a pre-shared key, see Installing the Agent Using a Pre-Shared Key. For more information about these different authentication methods, see Choosing an Authentication Method for Agents. |
|---|
The Bridge and Agent X.509 certificates must meet the following requirements:
The certificates must use an RSA key of a minimum size defined by FIPS 140-3.
The certificates on the Bridge and on each Agent must be signed by a common CA.
To create certificates and place them in a key store on the Tripwire Log Center Manager:
| 1. | Create an X.509 certificate to be used by the Bridge. |
| 2. | Place the Bridge certificate and the signed certificate chain into a Java BCFKS key store. |
For example, if you have a PKCS#12 key store that contains the Bridge's key and signed certificate, convert it to BCFKS format using the following keytool command:
keytool -importkeystore -srckeystore <path_to_PKCS#12_key_store> ‑srcstoretype PKCS12 -destkeystore bridge.ks -deststoretype BCFKS ‑srcstorepass <PKCS#12_key_store_password>
-deststorepass <tw.cap.bridge.keyStorePassword> -providername BCFIPS ‑providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
If you have a traditional Java key store (JKS format) that contains the Bridge's key and signed certificate, use a similar keytool command to convert it to BCFKS format:
keytool -importkeystore -srckeystore <path_to_JKS_key_store>
-destkeystore bridge.ks -deststoretype BCFKS
-srcstorepass <java_key_store_password>
-deststorepass <tw.cap.bridge.keyStorePassword> -providername BCFIPS
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
|
Tip |
Remember this key store password value that you specify for -deststorepass. You will need to specify this password in the next step. |
|---|
| 3. | Import the CA cert used to sign the Bridge certificates. |
keytool -import -alias tw_agent_ca -file <path_to_CA_certificate>
-keystore <path_to_bridge.ks> -storepass <password_for_bridge.ks>
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
-storetype BCFKS -providername BCFIPS
|
Note |
The Bridge only needs to be configured on a Tripwire Log Center Manager once, before connecting to an Agent for the first time. If the Bridge has already been configured (that is, the Bridge is already connected to an Agent) proceed to Step 3. (Optional) Configuring a DNS SRV Record for the Agent's Domain. |
|---|
To configure the Tripwire Bridge on a Tripwire Log Center Manager:
| 1. | Ensure that a supported version of Tripwire Log Center Manager is installed. |
| 2. | Verify that port 5670 is available on the Tripwire Log Center Manager. |
| 3. | At a command prompt, enter the following command to stop the Bridge service: |
net stop TripwireBridge
| 4. | Open the following file in a text editor: |
<TLC_Manager_install_dir>\Agent Services\config\bridge_sample.properties
| 5. | Save a copy of this file with the name bridge.properties in the same directory. |
| 6. | In the bridge.properties file, complete the following steps: |
| a. | Locate the following line: |
#tw.cap.bridge.port=5670
This entry specifies the port with which the Tripwire Bridge will 'listen' for incoming log messages from Agents (5670 by default). If you want to use another port, remove the pound sign (#) from the beginning of the line and replace "5670" with the new port number.
| b. | Locate the following line, then remove the pound sign (#) and set the value to PKI to configure PKI authentication mode: |
#tw.cap.bridge.authMode=Pki
| c. | Locate the following line, then remove the pound sign and set the value to the certificate and key store’s password: |
#tw.cap.bridge.keyStorePassword=<keystore_password>
where <keystore_password> is the certificate and key store password for the Bridge certificate key store.
| d. | By default, the Bridge uses TLSv1.2 with cipher suites TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384. To change these settings, see Configuring TLS Versions and Cipher Suites. |
| e. | Save the file. |
| 7. | Copy the previously created certificate key store into place: |
<TLC_Manager_install_dir>\Agent Services\data\bridge\bridge.ks
|
Note |
The bridge directory will need to be created if it does not exist. |
|---|
| 8. | At a command prompt, enter the following command to start the Tripwire Bridge Service: |
net start TripwireBridge
|
Tip |
If you encounter a problem with the Bridge after configuration, review the Bridge log file to assess the issue: <TLC_Manager>/Agent Services/Jetty/logs/TripwireBridge-YYYY-MM-DD For additional assistance, contact Tripwire Support. |
|---|
In a Domain Name System (DNS), an SRV record (or service record) defines the hostnames and port numbers of servers running various services. If you have a DNS Server with an SRV record for the domain(s) containing the Agent host system, no further configuration of the host system will be required following the installation of Agent software (see Step 4. Installing the Agent). Instead, following installation, the Agent will query the DNS Server for any SRV records in the DNS domains associated with any IP addresses assigned to the Agent host system’s interfaces.
If you do not wish to employ DNS SRV records to configure the Agent, proceed to Step 4. Installing the Agent.
Otherwise, edit one of the DNS SRV records for the Agent host system's domains as described below.
To edit an SRV record on your DNS server:
| 1. | Open the SRV record for a domain containing the Agent host system. The name of the SRV record will appear in this format: |
_tw-agw._tcp.<domain_name>
where <domain_name> is the name of the domain.
| 2. | To specify the Tripwire Log Center Manager to which the Agent will send data, enter the server's IP address or host name in the Server Hostname field. |
| 3. | In the Port field, enter the number of the port on the Tripwire Log Center Manager to be used for communications with Agents. To use the default port, enter 5670. |
In this step, you will install the Agent software on an Agent host system. You must install the Agent software on each system that you want to monitor.
To install the Agent software, complete the appropriate steps for the Agent host system:
Installing the Agent on a Linux System
Installing the Agent on a Windows System
|
Caution |
After installation, the Agent will look for and use any To resolve this issue, before installing the Agent software:
Linux:/etc/tripwire Windows:%PROGRAMDATA%\Tripwire\agent\config
|
|---|
To install Agent software on a Linux system:
| 1. | See Supported Platforms to make sure that the Agent is supported on the target system. |
| 2. | Log in to the host system with a local administrator account. |
| 3. | Use the following command to install the software: |
rpm –ivh <installer_rpm_file>
where <installer_rpm_file> is the appropriate installer file (Table 16).
|
File name |
Target OS |
|---|---|
|
tw-via-agent-installer-linux-x86.rpm |
32-bit Linux systems |
|
tw-via-agent-installer-linux-x64.rpm |
64-bit Linux systems |
To install Agent software on a Windows system:
| 1. | See Supported Platforms to make sure that the Agent is supported on the target system. |
| 2. | Log in to the host system with a local administrator account. |
| 3. | To install the software in the default location (C:\Program Files\Tripwire\Agent), double-click the appropriate installer file (see Table 17) in the directory in which you unzipped the Agent installation package. |
To install the software in a different directory, open a command prompt and enter the following command:
<installer_file> INSTALLDIR=<target_binary_installation_dir>
where
<installer_file> is the name of the appropriate installer file (see Table 17), and
<target_binary_file_directory> is the full path to the target installation directory
|
File name |
Target OS |
|---|---|
|
TW_VIA_Agent_x86.msi |
32-bit Windows systems |
|
TW_VIA_Agent_x64.msi |
64-bit Windows systems |
Follow the steps below to create certificates and place them in a key store on each Agent that will connect with the Tripwire Log Center Manager.
To create certificates and place them in a key store on an Agent:
| 1. | Create an X.509 certificate for the Agent. |
| 2. | Place the Agent's certificate and the signed certificate chain into a PKCS#12 key store. |
|
Note |
The key store must use PBE-SHA1-3DES for obfuscation. Remember the password you specify for the Agent key store. You will need to specify this password in the next step. |
|---|
To configure an Agent to communicate with the Tripwire Log Center Manager, you edit the Agent's configuration file twagent.conf. You must edit the configuration file on each system where the Agent is installed.
To configure Agent:
| 1. | At a command prompt, enter one of the following commands to stop the Agent service: |
Linux:
/sbin/service twagent stop
Windows:
net stop TripwireViaAgent
| 2. | Open one of the following files in a text editor: |
Linux:
/etc/tripwire/twagent_sample.conf
Windows:
%PROGRAMDATA%\Tripwire\agent\config\twagent_sample.conf
| 3. | Save a copy of this file with the name twagent.conf in the same directory. |
| 4. | If you did not configure an SRV record in Step 3. (Optional) Configuring a DNS SRV Record for the Agent's Domain, you must manually enter the host name or IP address of the Tripwire Log Center Manager as the bridge.host option in the Agent configuration file. |
bridge.host=<product_server_hostname_or_IP>
If you did configure an SRV record, the Agent will query the DNS Server when you restart the Agent service (below). This query will attempt to identify an SRV record and use the hostname or IP address and port from the record to connect to the Bridge. If the query is successful, the Agent's running configuration will use these values as the bridge.host and bridge.port options (see Table 19).
| 5. | The Agent spools data to be sent to the Tripwire Log Center Manager's Bridge (see Getting Started with the Agent). Based on the speed with which the Agent collects data from the Agent host system, edit the spool.size.max option to adjust the size of the spool (see Table 18). |
|
Note |
When the Agent sends data to the Tripwire Log Center Manager, it first copies the data to the spool. If the connection is dropped, transmitted data may be lost. In this case, the server will ask the Agent to re-send the spooled data. A spool size that is too small will limit the Agent's ability to respond to such requests, while a spool size that is too large will needlessly fill the Agent's disk space with old data. |
|---|
|
Spool Size |
If the Agent collects ... |
Recommended value for spool.size.max |
|---|---|---|
|
Small |
... 1 to 5 events (i.e., log messages) per second (EPS) |
100 MB |
|
Medium |
... 6 to 10 events per second (EPS) |
500 MB |
|
Large |
... 11 or more events per second (EPS) |
1 GB |
| 6. | As needed, edit the values of the other options in the Agent configuration file (see Table 19). |
| 7. | (Optional) To configure the Agent to communicate through a SOCKS5 proxy, edit the values for the SOCKS5 settings. For more information, see Table 20. |
| 8. | (Optional) By default, the Agent uses TLSv1.2 with cipher suites DHE-RSA-AES256-SHA:RSA-AES256-SHA:AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384. To change these settings, see Configuring TLS Versions and Cipher Suites. |
| 9. | Set the following values in the twagent.conf file to enable PKI authentication mode: |
bridge.auth.mode=pki
keystore.password=<keystore_password>
where <keystore_password> is the certificate and key store password for this Agent's certificate store.
| 10. | Copy the keystore.p12 certificate store for this Agent into one of these directories: |
Linux: /etc/tripwire/trust
Windows: %PROGRAMDATA%\Tripwire\agent\config\trust
|
Note |
The trust directory will need to be created if the Agent has not been previously started. |
|---|
| 11. | At a command prompt, enter one of the following commands to start the Agent service: |
Linux:
/sbin/service twagent start
Windows:
net start TripwireViaAgent
| 12. |
|
|
Tip |
If you encounter a problem with the Agent after configuration, review the Agent log file to assess the issue: Linux: /var/log/tripwire/twagent.log Windows: %PROGRAMDATA%\Tripwire\agent\log\twagent.log For information on interpreting error messages, see Agent Error Messages. For additional assistance, contact Tripwire Support. |
|---|
|
Option |
Description |
|---|---|
|
bridge.host |
The host name or IP address of the TLC Manager to which this Agent will connect. For more information, see Step 2. Configuring the Bridge on a Tripwire Log Center Manager. |
|
bridge.port |
The port on the TLC Manager used for communication between the Bridge and the Agent. (Default = 5670) |
|
dns.service.domain |
Specifies a DNS domain other than the Agent host system's domain for SRV record lookup. |
|
dns.service.name |
Specifies a DNS service name. (Default = _tw-agw) |
|
registration.file.name |
The name of the file containing the registration pre-shared key (defined in Step 1. Configuring the Bridge on a Tripwire Log Center Manager) for the Agent to register with the Bridge. (Default = registration_pre_shared_key.txt) The Agent searches for the specified file name in the following directory: Linux: /etc/tripwire
|
|
spool.size.max |
The maximum size of the spool with which the Agent collects data from the Agent host system. (Default = 1GB) For sizing guidelines, see Table 18. |
|
Option |
Description |
|---|---|
|
tls.version |
The TLS version used to connect with the Bridge. Valid options are TLSv1, TLSv1.1, and TLSv1.2. Only one TLS version can be specified here. For information on changing the TLS version and cipher suites, see Configuring TLS Versions and Cipher Suites. Default value: TLSv1.2 |
|
tls.cipher.suites |
A colon-delimited list of cipher suites used by the Agent when it connects to the Bridge. Only OpenSSL FIPS-compatible cipher suites which utilize RSA keys are supported. Default value: DHE-RSA-AES256-SHA:RSA-AES256-SHA:AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384 |